Bug 1033006 - Use-after-free bug in BasicCodeModules::BasicCodeModules
Status: Closed (opened 10 years ago, closed 10 years ago)
Categories: Toolkit :: Crash Reporting, defect
Resolution: RESOLVED FIXED
Target Milestone: mozilla33
People: Reporter: jchen, Assigned: jchen
Keywords: csectype-uaf
Attachments (2 files):
  patch, 1.51 KB, ted: review+
  patch, 1.32 KB
In BasicCodeModules::BasicCodeModules, if RangeMap::StoreRange fails for whatever reason, the |module| pointer is immediately freed at the end of the StoreRange call because of the temporary linked_ptr object passed in as a parameter. However, the code calls |module->code_file()| immediately afterwards, therefore using |module| after it has been freed.
[1] http://mxr.mozilla.org/mozilla-central/source/toolkit/crashreporter/google-breakpad/src/processor/basic_code_modules.cc?rev=83c09fe3a658#67
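As an added illustration (not Breakpad's code and not the attached patch), the following models the lifetime problem the description reports, with std::shared_ptr standing in for linked_ptr and a stub RangeMap whose StoreRange fails when a base address is reused; the Module type, the liveness set and that failure rule are assumptions made for the demo.

```cpp
#include <cstdint>
#include <map>
#include <memory>
#include <set>
#include <string>

static std::set<const void*> g_live;  // Modules not yet destroyed (demo bookkeeping)
struct Module {
  std::string file;
  explicit Module(std::string f) : file(f) { g_live.insert(this); }
  ~Module() { g_live.erase(this); }
  const std::string& code_file() const { return file; }
};

// Stand-in for RangeMap: storing at an already used base fails, and the
// shared_ptr handed in is simply dropped on that path (as linked_ptr would be).
class RangeMap {
  std::map<uint64_t, std::shared_ptr<const Module>> ranges_;
 public:
  bool StoreRange(uint64_t base, uint64_t /*size*/, std::shared_ptr<const Module> m) {
    return ranges_.emplace(base, m).second;
  }
};

// Buggy shape from the report: the temporary shared_ptr in the argument list is
// the only owner of |module|, so on failure the object is gone by the time the
// error path wants module->code_file(). We compare the address, never deref it.
bool store_buggy(RangeMap& map, uint64_t base, uint64_t size, const std::string& file) {
  const Module* module = new Module(file);
  if (!map.StoreRange(base, size, std::shared_ptr<const Module>(module)))
    return g_live.count(module) > 0;  // false: a real build would read freed memory
  return true;
}

// Fixed shape: own the module before the call so it outlives the error path.
bool store_fixed(RangeMap& map, uint64_t base, uint64_t size, const std::string& file) {
  std::shared_ptr<const Module> module(new Module(file));
  if (!map.StoreRange(base, size, module))
    return g_live.count(module.get()) > 0;  // true: module->code_file() is safe
  return true;
}

// Same failure for either shape; true if the error path could still touch the module.
bool error_path_safe(bool use_fix) {
  auto store = use_fix ? store_fixed : store_buggy;
  RangeMap map;
  store(map, 0x1000, 0x100, "a.dll");         // stored
  return store(map, 0x1000, 0x200, "b.dll");  // same base: StoreRange fails
}
```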
Comment 1 (Assignee) • 10 years ago
I will get this reviewed upstream if it looks good.
Attachment #8450357 - Flags: review?(ted)
Comment 2 • 10 years ago
Comment on attachment 8450357 [details] [diff] [review]
Don't free pointer in BasicCodeModules::BasicCodeModules before possibly using it (v1)
Review of attachment 8450357 [details] [diff] [review]:
Good catch. I can land this upstream for you if you remind me.
Attachment #8450357 - Flags: review?(ted) → review+
Comment 3 (Assignee) • 10 years ago
Comment 5 • 10 years ago
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
Comment 6 • 10 years ago
Flags: needinfo?(ted)
Updated • 8 years ago
Keywords: csectype-uaf